diff options
| author | Lunny Xiao <xiaolunwen@gmail.com> | 2023-11-26 01:21:21 +0800 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-11-25 17:21:21 +0000 |
| commit | 882e5023270ed844a4b2911e555e82fe905869e4 (patch) | |
| tree | 4d0d28ccf485e123ea7cbe719e7a414065ffba17 /routers/api/v1/repo/issue_reaction.go | |
| parent | 80217cacfc3fcf0ffa0dc203843c11e318f85d19 (diff) | |
| download | gitea-882e5023270ed844a4b2911e555e82fe905869e4.tar.gz gitea-882e5023270ed844a4b2911e555e82fe905869e4.zip | |
Fix comment permissions (#28213)
This PR will fix some missed checks for private repositories' data on
web routes and API routes.
Diffstat (limited to 'routers/api/v1/repo/issue_reaction.go')
| -rw-r--r-- | routers/api/v1/repo/issue_reaction.go | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/routers/api/v1/repo/issue_reaction.go b/routers/api/v1/repo/issue_reaction.go index 29c99184e7..c886bd71b7 100644 --- a/routers/api/v1/repo/issue_reaction.go +++ b/routers/api/v1/repo/issue_reaction.go @@ -61,6 +61,12 @@ func GetIssueCommentReactions(ctx *context.APIContext) { if err := comment.LoadIssue(ctx); err != nil { ctx.Error(http.StatusInternalServerError, "comment.LoadIssue", err) + return + } + + if comment.Issue.RepoID != ctx.Repo.Repository.ID { + ctx.NotFound() + return } if !ctx.Repo.CanReadIssuesOrPulls(comment.Issue.IsPull) { @@ -190,9 +196,19 @@ func changeIssueCommentReaction(ctx *context.APIContext, form api.EditReactionOp return } - err = comment.LoadIssue(ctx) - if err != nil { + if err = comment.LoadIssue(ctx); err != nil { ctx.Error(http.StatusInternalServerError, "comment.LoadIssue() failed", err) + return + } + + if comment.Issue.RepoID != ctx.Repo.Repository.ID { + ctx.NotFound() + return + } + + if !ctx.Repo.CanReadIssuesOrPulls(comment.Issue.IsPull) { + ctx.NotFound() + return } if comment.Issue.IsLocked && !ctx.Repo.CanWriteIssuesOrPulls(comment.Issue.IsPull) { |